What is DevSecOps?#
Simply put, DevSecOps is parallel to the changes that happened to development and operations as part of the DevOps transformation. In other words, the goal of DevSecOps is to break down the security silo—similar to how DevOps breaks down the silos between development and operations.
In a lot of organizations today, security is positioned at the “end of the line.” Products, features, and fixes are written, tested, built, tested again, and when they are ready for release, they are vaulted over the wall to security. At this point, any changes that security finds are expensive to make, largely due to all of the development time already invested. It’s also usually the case that the communications were not efficient while the issue was remedied. In this scenario, the security team needs to vault the situation(s) back over the wall to development and operations to resolve, and back and forth until whatever issue(s) are remedied and can then be released to production.
At this juncture, DevSecOps and DevOps should feel very familiar. Just like DevOps, DevSecOps requires weaving together the seemingly disparate teams and workflows. Since there are security implications at every stage of the software development life cycle, or SDLC, (unlike DevOps, which was able to stitch two groups together), DevSecOps requires developer and operations to become more security aware. And in turn, security becomes more aware of the implications of releasing software in production.
Implementing DevSecOps enables you to immediately see a reduction in security vulnerabilities found at the end of the SDLC as security is integrated more and earlier. Other improvements include:
- Fewer security vulnerabilities that make it to production
- Fewer security incidents
- Less time resolving security incidents
- Reduced human error as security checks and tests are included in build pipelines
- Increased user trust
- Builds empathy between teams and breaks down cross-team, adversarial relationships
How to get there?#
There are two large pillars that support DevSecOps: 1) the cultural changes and 2) the supporting technical changes. The cultural changes that are covered in this guide are centered around improving cross-team communication, collaboration, awareness, and empathy. More specifically, there are activities that each of the development, operations, and security teams can do that will allow them to experience “a day in the life” and beyond for the other disciplines.
The technical changes that support a DevSecOps culture involve integrating security in every aspect of the SDLC, a process called “shifting security left”. The purpose of this guide will not be prescriptive for how to shift left, but rather to provide the information necessary for development, operations, and security to meet their current challenges and build a path forward that best suits the current state and desired end state.